CORS
Cross-Origin Resource Sharing support is baked into the framework core, and hence there is no need to install any additional packages.
Make sure CORS is enabled inside the config/cors.ts
file by setting the enabled
property to true.
If the config file is missing, then create a new one manually and copy/paste the contents from the CORS stub .
{
"enabled": true
}
Allowed origin
You can control the origins to allow for the CORS request using the origin
property. This property controls the Access-Control-Allow-Origin
header.
Boolean value
Setting the value to true
will allow any origin. Whereas setting the value to false
will disallow any origin.
{
origin: true
}
String or array of origins
You can allow one or more origins by defining them as a string or an array of strings.
{
origin: 'adonisjs.com',
}
// or
{
origin: ['adonisjs.com']
}
Wildcard
Set the value of Access-Control-Allow-Origin
to a wildcard.
{
origin: '*'
}
Function
You can also define a function as the value for the origin
property to decide which origin to allow or disallow at runtime.
The method receives the current origin as the only argument and must return a boolean, a wildcard, or a string/array of allowed origins.
const ALLOWED_ORIGINS = []
{
origin: (requestOrigin: string) => {
return ALLOWED_ORIGINS.includes(requestOrigin)
}
}
Allowed methods
The methods
property controls the method to allow during the preflight request. The Access-Control-Request-Method
header value is checked against the allowed methods.
{
methods: ['GET', 'HEAD', 'POST', 'PUT', 'DELETE']
}
Allowed headers
The headers
property controls the headers to allow during the preflight request. The Access-Control-Request-Headers
header value is checked against the headers
property.
Boolean value
Setting the value to true
will allow all the headers. Whereas setting the value to false
will dis-allow all the headers.
{
headers: true
}
String or array of headers
You can allow one or more headers by defining them as a string or an array of strings.
{
headers: [
'Content-Type',
'Accept',
'Cookie'
]
}
Function
You can also define a function as the value for the headers
property to decide which headers to allow or disallow at runtime.
The method receives the current header value as the only argument and must return a boolean or a string/array of allowed origins.
const ALLOWED_HEADERS = []
{
headers: (requestHeaders: string) => {
return ALLOWED_ORIGINS.includes(requestHeaders)
}
}
Exposed headers
The exposeHeaders
property controls the headers to expose via Access-Control-Expose-Headers
header during the preflight request.
{
exposeHeaders: [
'cache-control',
'content-language',
'content-type',
'expires',
'last-modified',
'pragma',
]
}
Allow credentials
The credentials
property controls whether or not to set the Access-Control-Allow-Credentials
header during the preflight request.
{
credentials: true
}
Max age
The maxAge
property controls the Access-Control-Max-Age
response header. The value is in seconds.
- Setting the value to
null
will not set the header. - Whereas, setting it to
-1
does set the header but disables the cache.
{
maxAge: 90
}